The Case for a Cyber Monitoring Centre

James Burns

Head of Cyber Strategy at CFC

The Grange Pub in Cardiff is a typical modern British tavern. A short stroll from the city centre, it’s busy most days of the week. Weekends are packed, especially for Sunday lunch.

In March 2020 all that stopped. Government lockdown orders forced The Grange to shut. Within weeks the pub’s owners faced tens of thousands of pounds in losses. They filed a claim for lost income on their business interruption (BI) insurance. They weren’t alone.

Cyber insurers can sometimes feel like systemic risk is unique to them: it isn’t. The Covid pandemic was about as systemic as it gets. BI insurers faced an avalanche of claims following the first lockdowns. And the industry failed in the eyes of thousands of small business owners. The reason was a failure to address the perennial problem of systemic risk. The cyber market mustn’t repeat the same mistakes.

Perils of systemic risk

Insurers and capital markets have always fretted about systemic risk: exposure to a single event that triggers an enormous number of claims and a colossal, accumulated financial loss. The 1906 San Francisco earthquake spawned over 100,000 claims, costing insurers over $5 billion in today’s money. Nearly a century later, the 9/11 terror attacks triggered almost $50 billion in pay-outs across life, property, aviation, and liability policies.

Cyber insurers and the financial sector worry about similarly systemic scenarios. In 2017, a self-propagating malware named NotPetya targeted Ukraine, but quickly spread. It infected hundreds of thousands of computers in more than sixty countries around the world. The virus paralysed banks and hospitals, and crippled global shipping companies. With an estimated economic impact of $10 billion NotPetya is the costliest cyber event to date.

But it was a biological virus, rather than a digital one, which showed how potent systemic risk can be. The human cost of Covid was devastating: almost 800 million recorded infections and close to 7 million deaths.

It was economically unparalleled. Sustained lockdowns over a two-year period decimated trade and services around the world. The International Monetary Fund (IMF) estimates the economic impact at $12.5 trillion.

The fluctuating scale of systemic events makes them hard for insurers to handle. Smaller events are manageable but massive ones could wipe out balance sheets. It can be impossible to tell in advance how big any given event might be. Yet policies need to be clear from the outset on which events they cover. Covid showed in horrifying fashion what happens when they fail to do so.

What not to do

The insurance industry’s response to the pandemic led to one of its worst reputational disasters in recent memory. As lockdowns set in around the world, nations of small business owners looked to their BI policies to plug financial holes.

In the UK alone approximately 370,000 businesses looked to claim. Insurers denied paying out, saying their policies didn’t cover the pandemic. This was despite many including cover for infectious disease outbreaks.

This triggered a tsunami of complaints to the Financial Conduct Authority (FCA), the UK’s financial regulator, which led to high-profile legal battles against insurers.

Mass legal action ensued in other countries too. In the US, policyholders have filed around 2,500 lawsuits against insurers, many of which are ongoing in state and federal courts. Insurers have also faced suits in Canada, Australia, and across Europe.

Insurance can’t cover everything. Policies must protect the market against the uninsurable, otherwise the market could fail. But the sheer volume of lawsuits, following declined Covid BI claims, suggests the industry got something wrong. Court judgments in favour of claimants seem to confirm it.

Details of the various legal actions and test cases are numerous and complex. But they boil down to the same thing: customers thought they had cover for an event which – according to their insurers – they didn’t.

One case before the UK Supreme Court looked at the issue of “radius wordings”. These were BI policies sold to tens of thousands of small businesses. They covered lost income due to the occurrence of infectious diseases within a set radius, or distance, of the insured’s premises, typically a vicinity of between five and twenty-five miles.

Insurers argued that it wasn’t any local occurrence of Covid that led to loss. Rather it was government action taken at national level, for which – they said – there was no cover. The court disagreed. It found that each occurrence of Covid was an equal cause of government action, which was inextricably linked to all cases.

Another case looked at wordings where cover for closure due to infectious disease and closure due to government restriction were found in different parts of the policy. A policy extension covered government restriction losses but excluded restriction due to infectious disease. Insurers argued this showed their intent not to cover lockdown related claims. Again, the court disagreed, stating that an exclusion under the extension did not apply to the rest of the policy.

In the UK, court rulings so far have forced insurers to accept almost 40,000 claims that they otherwise wouldn’t have. In other countries, judgements have been more mixed.

But even where courts have found in favour of insurers, the fact that litigation was pursued suggests policies were not clear enough. And mass claim denials during a public crisis drove a PR backlash which shattered the industry’s reputation.

Lack of clarity

The core problem was a lack of clarity. Policies failed to address major systemic events, like Covid, in crystal clear fashion.

Insurers wanted to cover small-scale infectious disease scenarios but not large, widespread events. So they crafted detailed policy language – like radius clauses – to reflect this. But by getting more detailed the language also got too specific. It didn’t actually address the scenario which transpired. Covid slipped between the cracks in the wording.

More detailed language also meant more complicated language. Policyholders struggled to understand what the product’s intent was. Insurers and their lawyers knew what they meant – but their customers didn’t.

This didn’t play well in court. The judge presiding over a UK test case emphasised that the key question was how the policy would be understood by a “reasonable person”. They explained that a reasonable person in this case was “not a pedantic lawyer who will subject the entire policy wording to a minute textual analysis.” But rather “an ordinary policyholder who, on entering into the contract, is taken to have read through the policy conscientiously in order to understand what cover they were getting.”

Cyber insurers need to be careful not to fall into the same trap. The list of systemic risk exclusions in cyber policies is long and growing. They tend to be scenario-specific which creates gaps. And technical language is being used to address complex issues like digital infrastructure failure and mass vulnerability exploitation. Brokers and underwriters – let alone policyholders – can struggle to pinpoint where cover starts and stops.

War is a prime example. Recent updates to war exclusions brought greater clarity to many. Cyber war has been better defined and it’s clearer when the language triggers. But many of these exclusions are now more detailed and more specific. That could be troublesome for insurers, if Covid experience is anything to go by.

Plus, they do nothing to address systemic risk stemming from non-nation state actors. And the market has also engulfed itself in debate on “collateral damage” and “bystanding assets”. Such lack of alignment should be a cause of concern to all.

Cyber insurers face the same challenge as their BI counterparts. It’s hard to delineate between the attritional claims that they want to cover, and the catastrophic events that need a different approach. A new malware strain – like a new infectious disease – might impact one victim, many victims, or thousands of victims at once.

The market must agree on where the lines get drawn. This means agreement on how to define systemic risk in the first place. The US property market could help on that front.

The Case for a Cyber Monitoring Centre

Weather events also vary from the small-scale to the extreme. The wind in Florida can blow a light breeze one day or a category five hurricane the next. Property insurers need to be able to delineate between the two. They’re able to because everyone agrees on what a hurricane is.

A group of weather experts staff the National Hurricane Center (NHC) in Miami. Their job is to identify and classify extreme weather events. They decide when a storm becomes a hurricane. And they assign it a severity rating of one through five.

Insurers use this designation to delineate between regular and extreme weather events in policies. And they’re able to buy reinsurance for the most extreme events because there is a clear and unambiguous trigger. This attracts reinsurers who can better model the risk.

The digital world is in desperate need of a comparable system. We need to be able to identify and classify “cyber hurricanes” so that we can manage the risk they pose. An independent body set up to do this would bring many benefits.

First, it would foster a shared understanding of what a systemic cyber event is. Existing definitions are unclear and inconsistent. This breeds uncertainty around what they do and don’t cover. A transparent classification system defined by an independent body fixes this problem.

These events would then become easier to reinsure. Clear definitions mean objective policy triggers, reducing ambiguity around cover. Systemic exposure would become more certain and easier to model. This would attract more reinsurance and third-party capital, creating a true cyber catastrophe market. Just like property.

More accurate modelling would bring better calibrated reinsurance pricing. Insurance premiums would reduce, bringing more customers to market. They’d buy a simpler product because the multitude of existing systemic exclusions could be scrapped. They’d be replaced with a single catastrophe exclusion tied to a declaration made by the body.

But because of the increased reinsurance appetite for catastrophe risk, customers could buy this cover back. This would make the product easier to sell, especially for non-specialist brokers outside the US, where 90% of businesses still don’t buy. Giving customers choice here would also ease the burden on the reinsurance market as not all will need or want to buy it. Most important of all, the market would be aligned on how cyber insurance responds to major events. And the industry could sleep better, knowing that all systemic risk is being properly addressed.